CVSS: 4.8EPSS: 0%CPEs: 2EXPL: 1CVE-2020-15004 – OX App Suite / OX Documents 7.10.3 XSS / Server-Side Request Forgery
https://notcve.org/view.php?id=CVE-2020-15004
OX App Suite through 7.10.3 allows stats/diagnostic?param= XSS. OX App Suite versiones hasta 7.10.3, permite un ataque de tipo XSS de stats/diagnostic?param= OX App Suite and OX Documents versions 7.10.3 and some prior versions suffer from information exposure, server-side request forgery, and cross site scripting vulnerabilities. • https://seclists.org/fulldisclosure/2020/Oct/20 https://www.open-xchange.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 1CVE-2020-15003 – OX App Suite / OX Documents 7.10.3 XSS / Server-Side Request Forgery
https://notcve.org/view.php?id=CVE-2020-15003
OX App Suite through 7.10.3 allows Information Exposure because a user can obtain the IP address and User-Agent string of a different user (via the session API during shared Drive access). OX App Suite versiones hasta 7.10.3, permite una Exposición de Información porque un usuario puede obtener la dirección IP y la cadena User-Agent de un usuario diferente (por medio de la API de sesión durante el acceso a la Unidad compartida) OX App Suite and OX Documents versions 7.10.3 and some prior versions suffer from information exposure, server-side request forgery, and cross site scripting vulnerabilities. • https://seclists.org/fulldisclosure/2020/Oct/20 https://www.open-xchange.com •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 3CVE-2020-15002 – OX App Suite / OX Documents 7.10.3 XSS / Server-Side Request Forgery
https://notcve.org/view.php?id=CVE-2020-15002
OX App Suite through 7.10.3 allows SSRF via the the /ajax/messaging/message message API. OX App Suite versiones hasta 7.10.3, permite un ataque de tipo SSRF por medio de la API de mensajes /ajax/messaging/message OX App Suite and OX Documents versions 7.10.3 and some prior versions suffer from information exposure, server-side request forgery, and cross site scripting vulnerabilities. • https://github.com/skr0x1c0/SSRF-CVE-2020-15002 https://github.com/skr0x1c0/Blind-SSRF-CVE-2020-15002 https://seclists.org/fulldisclosure/2020/Oct/20 https://www.open-xchange.com • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-12643 – OX App Suite / OX Documents XSS / SSRF / Bypass
https://notcve.org/view.php?id=CVE-2020-12643
OX App Suite 7.10.3 and earlier has Incorrect Access Control via an /api/subscriptions request for a snippet containing an email address. OX App Suite versiones 7.10.3 y anteriores, presentan un Control de Acceso Incorrecto por medio de una petición de /api/subscriptions para un fragmento que contiene una dirección de correo electrónico OX App Suite and OX Documents suffer from access control bypass, cross site scripting, and improper input validation vulnerabilities. Multiple version ranges are affected. • http://seclists.org/fulldisclosure/2020/Aug/14 https://www.open-xchange.com • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2020-12646 – OX App Suite / OX Documents XSS / SSRF / Bypass
https://notcve.org/view.php?id=CVE-2020-12646
OX App Suite 7.10.3 and earlier allows XSS via text/x-javascript, text/rdf, or a PDF document. OX App Suite versiones 7.10.3 y anteriores, permiten un ataque de tipo XSS por medio de texto/x-javascript, texto/rdf o un documento PDF OX App Suite and OX Documents suffer from access control bypass, cross site scripting, and improper input validation vulnerabilities. Multiple version ranges are affected. • https://exchange.xforce.ibmcloud.com/vulnerabilities/187114 https://www.open-xchange.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •